Why? Because in terms of security, it is a bomb waiting to go off.
Typically your database settings go in there, and potentially other
sensitive stuff (salts, service API keys, what have you).

By encouraging you to put a settings.py file in your project's root,
Django encourages you to make it easy to accidentally expose these
settings to the world at large.

You have to be very careful to avoid this.

Two obvious ways your settings.py can get out into the world:

check it into version control? oops! Better put settings.py in
your VCS' "ignore" file ... and go change your database config
since those revisions are probably still retrievable.

python setup.py register sdist upload ... oops!
You better put an "exclude" command in a MANIFEST.in file to
avoid this. (I didn't even know about that exclude command
until I almost put a settings.py file in a release on pypi.
I'd long removed it from git and changed the sensitive stuff,
but hey it's a python file, so setuptools still thinks you want to
distribute it!)